Overview

overview

10

Static

static

3

das.exe

windows7-x64

10

das.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1796s
  • max time network
    1799s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2024 01:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    das.exe

  • Size

    3.2MB

  • MD5

    fc9dc72efa9a2558f092277889483177

  • SHA1

    ae8629a0c0f52c3e6d2aaafc5b2e1f1bbd477747

  • SHA256

    fe3a99da0e96c690ea206dd08b6deb4bb53acd214118f59229e37d00aa0d5b73

  • SHA512

    4329fc1e1b6c556f628c9f3bdcab2e34ebe5a4fade9dcac59010581389613af19e1f8afffaeb495d952dc67dc591ae5c270c79ceafe6ec8e0f4b5b97f31df255

  • SSDEEP

    49152:dTM2IVKyc1Egr0NBwq2dpOyMN5zAI24A8cSSa9+VYt2S6SMrM0LJxIuXwsL:dTcVKyc300q2dpVMH7HBcKmbJWuXwsL

Score
10/10
quasarxwormdumby bo got ratted lololdefense_evasiondiscoverypersistenceratspywaretrojan

Malware Config

Extracted

Family

xworm

C2

important-machines.gl.at.ply.gg:7974

Attributes
  • Install_directory

    %Public%

  • install_file

    USB.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

dumby bo got ratted LOLOL

C2

p-surplus.gl.at.ply.gg:7938

Mutex

6f229673-e6d0-41b5-a1e4-1cbc29eeffd8

Attributes
  • encryption_key

    84EEFDB37698E582E7732B4568EC490426D1D6DF

  • install_name

    d1aler.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Java updater

  • subdirectory

    SubDir

Signatures

  • Detect Xworm Payload 2 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 7 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Runs regedit.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\das.exe
    "C:\Users\Admin\AppData\Local\Temp\das.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AaABlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAZQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAbABzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAcwBwACMAPgA="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3616
    • C:\Users\Admin\AppData\Local\Temp\adsdas.exe
      "C:\Users\Admin\AppData\Local\Temp\adsdas.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3940
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RegEdit" /tr "C:\Users\Public\RegEdit"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2332
    • C:\Users\Admin\AppData\Local\Temp\RegEdit.exe
      "C:\Users\Admin\AppData\Local\Temp\RegEdit.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Runs regedit.exe
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3760
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Java updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\d1aler.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1980
      • C:\Windows\system32\SubDir\d1aler.exe
        "C:\Windows\system32\SubDir\d1aler.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1424
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "Java updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\d1aler.exe" /rl HIGHEST /f
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1968
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /delete /tn "Java updater" /f
          4⤵
            PID:2540
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hdHJxslrmp6E.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1784
            • C:\Windows\system32\chcp.com
              chcp 65001
              5⤵
                PID:2864
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                5⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:5060
      • C:\Users\Public\RegEdit
        C:\Users\Public\RegEdit
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3860
      • C:\Users\Public\RegEdit
        C:\Users\Public\RegEdit
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1980
      • C:\Users\Public\RegEdit
        C:\Users\Public\RegEdit
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4536
      • C:\Users\Public\RegEdit
        C:\Users\Public\RegEdit
        1⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3312
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RegEdit" /tr "C:\Users\Public\RegEdit"
          2⤵
          • Scheduled Task/Job: Scheduled Task
          PID:3912

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      1
      T1112

      Obfuscated Files or Information

      1
      T1027

      Command Obfuscation

      1
      T1027.010

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      Remote System Discovery

      1
      T1018

      System Information Discovery

      2
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RegEdit.log
        Filesize

        654B

        MD5

        2ff39f6c7249774be85fd60a8f9a245e

        SHA1

        684ff36b31aedc1e587c8496c02722c6698c1c4e

        SHA256

        e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

        SHA512

        1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RegEdit.exe
        Filesize

        3.1MB

        MD5

        bfacb0c11a720d61c03412d7f68fb8df

        SHA1

        06c5304b3d6d75734ae3f8f30c9486dd855f0335

        SHA256

        e8156e44befb5335f9c18acdd0d428c3a8fa316546a71fbbbd2c64c08f697a3e

        SHA512

        89a8dcf157e7b390f946925273d34c3f6bf2cdef62e2908f96ceb64e4dbd12d5cb353c7b0e2a37ff59187dd33d3c95ab640295c433ff8e4df760baca3a127cda

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ijl1xfn0.0iv.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\adsdas.exe
        Filesize

        76KB

        MD5

        614861a9ba2fcb5116a7882fac727556

        SHA1

        93421896f28e1b879ef4bed5803e1492b1e0c657

        SHA256

        5adf655e3c1cd454ea3575c60ccddfe9c7cbe4b67c2eacbca3987e06cef595ac

        SHA512

        41abb5fbb09109e9947713d8559f5d61e4e1f1037b5d26fe929ae69ce6f9bdb86dc278b5f37bd56f1a75a33b144fcd834e836f73ea2ecab96aeab632a82845e9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\hdHJxslrmp6E.bat
        Filesize

        200B

        MD5

        61b3e3c4921aaac126e6816759302592

        SHA1

        4e908d98705c1596ae0976ee4ab35b827380c824

        SHA256

        07c88c9c741dc63c73e687f24ce20c63fdc4e4ff5fc9919aa8e4ef85db917ed2

        SHA512

        35d615c5004bc4835d67a6034fa29168069e5eb26f673dbc99b943e1f8be80e9dc961bc51accbd2650cdf6740efa8e87b4e2698222f49748ee11c4aa7ba5226d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegEdit.lnk
        Filesize

        960B

        MD5

        6ae008d0d5c96ae7f2eff3149e68b281

        SHA1

        92bb5b764e33a0a0b5db3bc22478641babd115ed

        SHA256

        0bf954e2ef2d390dc03b18f0894cd6cf38e80b1516e2beba453ba81349f093a6

        SHA512

        7aede0667dc761e14b83bf476beca12b30e1b4ed5f77beb672ae59fd0c034de8b63f8445e80d50466e1b7e97b4cc07dc620c5698d877251405e8c7865653625a

        Download Submit

      • memory/1424-86-0x000000001D4E0000-0x000000001D51C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1424-85-0x000000001C960000-0x000000001C972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1424-75-0x000000001C9E0000-0x000000001CA92000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1424-73-0x000000001C8D0000-0x000000001C920000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3616-72-0x0000000007F00000-0x0000000007F0E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3616-54-0x00000000751C0000-0x000000007520C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3616-33-0x0000000006330000-0x0000000006396000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3616-25-0x00000000033F0000-0x0000000003426000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3616-32-0x00000000062C0000-0x0000000006326000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3616-43-0x00000000063A0000-0x00000000066F4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3616-44-0x0000000006990000-0x00000000069AE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3616-45-0x00000000069D0000-0x0000000006A1C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3616-31-0x00000000059C0000-0x00000000059E2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3616-53-0x0000000006F70000-0x0000000006FA2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3616-64-0x0000000007B60000-0x0000000007B7E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3616-76-0x0000000007FF0000-0x000000000800A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3616-65-0x0000000007B90000-0x0000000007C33000-memory.dmp

        Filesize

        652KB

        Download

      • memory/3616-67-0x0000000007CC0000-0x0000000007CDA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3616-66-0x0000000008300000-0x000000000897A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/3616-29-0x0000000073C3E000-0x0000000073C3F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3616-69-0x0000000007D30000-0x0000000007D3A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3616-70-0x0000000007F50000-0x0000000007FE6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/3616-71-0x0000000007EC0000-0x0000000007ED1000-memory.dmp

        Filesize

        68KB

        Download

      • memory/3616-27-0x0000000003460000-0x0000000003470000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3616-30-0x0000000005C20000-0x0000000006248000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/3616-77-0x0000000007F40000-0x0000000007F48000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3616-74-0x0000000007F10000-0x0000000007F24000-memory.dmp

        Filesize

        80KB

        Download

      • memory/3760-52-0x00007FFE6D830000-0x00007FFE6E2F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3760-28-0x000000001BBA0000-0x000000001BBB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3760-26-0x00007FFE6D830000-0x00007FFE6E2F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3760-24-0x0000000000C90000-0x0000000000FB4000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/3940-68-0x0000000002540000-0x0000000002550000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3940-87-0x0000000002540000-0x0000000002550000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3940-20-0x00000000004A0000-0x00000000004BA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3940-19-0x00007FFE6D833000-0x00007FFE6D835000-memory.dmp

        Filesize

        8KB

        Download